In the walled garden of multiple system operator (MSO)-owned networks, an important security problem was prevention of unauthorized access and reproduction of high-value content. With the shift to open networks and Internet delivery, the operators no longer have complete end-to-end control over their delivery networks. This leads to several new attacks that, while not providing unauthorized access to content, allow disruption of service and unauthorized access to client devices.
Media segments and their descriptions (e.g., media presentation descriptions (MDPs)) are stored in various locations throughout their distribution network—they may be cached in nodes of a commercial content delivery network (CDN), then to nodes of possibly another CDN which is closer to the consumer, then, at a head-end of the service provider. In practice, some of those nodes may be malicious, in addition to the existence of potential tampering over the delivery channels between the nodes.
Firstly, an MPD may be changed by any malicious entity in this chain, thus completely hijacking a whole streaming session. This can be countered by either using a secure method of MPD delivery hypertext transfer protocol secure (HTTPS) and/or extensible markup language (XML) signature. Generally, for the purpose of this discussion assume that the client has the correct MPD and it was not tampered with, while the malicious entity has access to the MPD and has full access to the network as well.
Three main types of attack are considered: segment replacement, reordering, and modification. Complete denial of service to provide a segment (e.g., returning 404 instead of the segment) is always possible as well, but this can only be countered by providing several possible download locations and/or utilizing more than one CDN.
Straightforward content replacement or reordering is possible in three cases: when the requested segment is in the clear, when segments that are being replaced are consecutive, encrypted and placed in the same crypto-period, or when the intent is to disrupt the presentation, rather than substitute a segment with another playable one.
Examples of attacks are ad skipping (ads are replaced with the next segment from the movie), and service degradation (replacing high quality with low quality segments).
Generally the most vulnerable business model is when ad-supported digital rights management (DRM)-less content is provided, which is expected to be a fairly important model. The same threat generally affects public channels (such as C-SPAN in the U.S.), where content is transmitted unencrypted.
Segment modification is always possible in the clear and in any content using partial bitstream encryption. In the latter case encrypted bytes are signaled in unencrypted headers, so, for example, the actual protected elementary stream can be replaced with any arbitrary content in the clear. When the partially encrypted stream carries instructions that modify the client behavior in the clear, these can be used in order to modify the client behavior. In case of full segment encryption, segment modification will render a segment unplayable, possibly causing a decoder reset.
An example of such attacks (beyond plain replacement of encrypted content with other content in the clear) is adding ‘1 msg’ brand to ISO-FF segments in order to cause the client to quit a period early. Another interesting direction would be if there is a message containing the new MPD universal resource locator (URL) passed in the clear (though such functionality is currently not standardized); it is trivial to substitute this URL with a malicious one.
A malicious entity also may have access to keys that are used to encrypt and decrypt the content, when in-network transscrambling (e.g., re-encryption) is used. This way, content substitution is possible for encrypted content as well.
Similar attacks on non-media segments are also possible. In case of initialization and bitstream switching segments, modification can render the whole content completely or partially unplayable, while modified index files can at the least destabilize trick mode functionality.
Naïve segment modification is also possible, e.g., due to file corruption. Another naïve error that may be discovered this way is the use of an incorrect decryption key.
The discussion above only describes segments, however it is possible that a complete segment is never delivered, and bitstream switching is done at the subsegment level.